I tried to modify some existing systemd services by adding a script to preStart, and I can’t make it work. I get Bad system call in the log. After some research I realized that sed -i doesn’t play well with SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ].
I don’t want to break the excellent security hardening that the module maintainer did by removing SystemCallFilter, but I can’t figure out what to add into SystemCallFilter to make the sed -i functional.
I know that permissions are OK (I can cp x y a file), but the modification sed -i ... y does something outside of the SystemCallFilter above. I googled and tried a lot of options, but I can’t find what to add…